Connect Azure Security Center to Azure Sentinel programmatically

Previously you learned how to integrate Azure Security Center with Azure Sentinel so that ASC alerts are tracked as incidents in Azure Sentinel. Now you have decided to connect many Azure Security Center subscriptions to your Azure Sentinel workspace.

This article is not a step-by-step guide on how to connect ASC to Azure Sentinel. Instead it provides some notes on how to interact with Azure Sentinel programmatically, as well as a sample script to help you complete the job.

TL;DR: You can skip this article and use the script from here https://github.com/azsec/azure-sentinel-tools/tree/master/scripts

Azure Sentinel API

There is an Azure Sentinel API, but Microsoft seems to be still finalizing and improving it. If you remember the original name of Azure Sentinel, Azure Security Insights, you will notice that the Azure Sentinel API still uses that old name in its resource provider (Microsoft.SecurityInsights).

For working with a connector specifically, the request Uri (shown here as the PowerShell expression the script uses to build it) looks as follows:

"https://management.azure.com" + $workspaceId + "/providers/Microsoft.SecurityInsights/dataConnectors/" + $connectorName + "?api-version=2019-01-01-preview"
  • WorkspaceId is the resource Id of the Log Analytics workspace that Azure Sentinel is connected to.
  • ConnectorName is a little tricky. It must be a GUID; generate a fresh one for each connector so that names do not conflict between API calls (especially while you are testing).

The request body is straightforward. Make sure you follow the casing of the property names exactly (note "SubscriptionId" below), otherwise you will get an error about parsing the data.

{
    "name": "2dd8cb59-ed12-4755-a2bc-356c212fbafc",
    "etag": "1c2672be-409a-4893-8b4f-f2802dcb744e",
    "kind": "AzureSecurityCenter",
    "properties": {
        "dataTypes": {
            "alerts": {
                "state": "Enabled"
            }
        },
        "SubscriptionId": "2dd8cb59-ed12-4755-a2bc-356c212fbafc"
    }
}

Azure Security Center Standard Tier

You do need to ensure your Azure Security Center subscription is using the Standard plan. Otherwise, Azure Sentinel will not allow ASC to be connected.

Subscription named Development is using ASC Free tier.

You don’t have to enable Standard tier in all resource types.
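As an added example (not the script linked from this post), here is a PowerShell function that ties the notes above together: it checks that the subscription has at least one Standard-tier plan before calling the API, generates a GUID connector name, builds the body with the exact casing, and sends the PUT. It assumes the Az.Accounts and Az.Security modules are installed and you are already signed in with Connect-AzAccount; the function and parameter names are my own.

```powershell
# Added example, not the post's own script. Assumes Az.Accounts + Az.Security and an
# existing Connect-AzAccount session. $WorkspaceResourceId is the full resource Id of
# the Log Analytics workspace that Azure Sentinel is attached to.
function Connect-AscToSentinel {
    param(
        [Parameter(Mandatory)] [string] $WorkspaceResourceId,
        [Parameter(Mandatory)] [string] $SubscriptionId
    )

    # Guard: Sentinel refuses the connector when the subscription is on the ASC Free tier.
    # Only one resource type needs to be on Standard, so any Standard plan is enough.
    Select-AzSubscription -SubscriptionId $SubscriptionId | Out-Null
    $standard = Get-AzSecurityPricing | Where-Object { $_.PricingTier -eq 'Standard' }
    if (-not $standard) {
        Write-Warning "Subscription $SubscriptionId has no ASC Standard-tier plan; skipping."
        return $null
    }

    # Fresh GUID per call so repeated runs or tests never collide on the connector name.
    $connectorName = [guid]::NewGuid().ToString()

    $uri = "https://management.azure.com" + $WorkspaceResourceId +
           "/providers/Microsoft.SecurityInsights/dataConnectors/" + $connectorName +
           "?api-version=2019-01-01-preview"

    # Property names are case-sensitive on this API: "SubscriptionId", not "subscriptionId".
    # "etag" is omitted because this is a create, not an update of an existing connector.
    $body = @{
        name       = $connectorName
        kind       = 'AzureSecurityCenter'
        properties = @{
            dataTypes      = @{ alerts = @{ state = 'Enabled' } }
            SubscriptionId = $SubscriptionId
        }
    } | ConvertTo-Json -Depth 5

    # ARM bearer token from the current Az session (Token is a plain string in Az < 14).
    $token   = (Get-AzAccessToken -ResourceUrl 'https://management.azure.com/').Token
    $headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }

    Invoke-RestMethod -Method Put -Uri $uri -Headers $headers -Body $body
}
```

Run it once per ASC subscription you want to connect; the returned object is the created dataConnectors resource, so a non-null result means the connector now exists in the workspace.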

Now you are good to go!
